Checkpoint Gaia Cli Commands
Note: You can list all the required commands in a simple text editor (Notepad, Notepad2, PSPad, etc.) and then paste them into the clish command line at once to quickly add all the necessary VLAN interfaces. Related documentation: Gaia Administration Guide (R75.40, R75.40VS, R76, R77.X, R80.10, R80.20).
Following up on my most popular post, 'Basic Checkpoint Gaia CLI Commands (Tips and Tricks)', I would like to collect some more advanced troubleshooting commands used in my daily work into this post. Some of these commands are not only for Checkpoint Gaia; they apply to the SPLAT and IPSO platforms as well. A lot of the expert mode commands are also available within Gaia clish as “extended commands”; view the complete list with the clish command “show extended commands”. Basic starting and stopping: cpstop stops all Check Point services except cprid.
CheckPoint Firewall (basic troubleshooting commands incl. clustering)
Command | Description
--- | ---
cphaprob stat | Lists cluster status
cphaprob -a if | Lists status of interfaces
cphaprob syncstat | Shows the sync status
cphaprob list | Shows status in list form
cphastart / cphastop | Starts / stops clustering on the specific node
cp_conf sic | SIC configuration
cpconfig | Configuration utility
cplic print | Prints all licensing information
cprestart | Restarts all Check Point services
cpstart | Starts all Check Point services
cpstop | Stops all Check Point services
cpstop -fwflag -proc | Stops all Check Point services but keeps the policy active in the kernel
cpwd_admin list | Lists Check Point processes (watchdog view)
cpstat -f all polsrv | Shows VPN Policy Server stats
cpstat | Shows the status of the firewall
fw tab -t sam_blocked_ips | Shows IPs blocked via SAM rules (e.g. from SmartView Tracker)
fw tab -t connections -s | Shows connection table stats
fw tab -t connections -f | Shows connections with IPs instead of hex
fw tab -t fwx_alloc -f | Shows the fwx_alloc (NAT allocation) table with IPs instead of hex
fw tab -t peers_count -s | Shows VPN stats (peer count)
fw tab -t userc_users -s | Shows VPN stats (remote access users)
fw checklic | Checks license details
fw ctl get int [global kernel parameter] | Shows the current value of a global kernel parameter
fw ctl set int [global kernel parameter] [value] | Sets the value of a global kernel parameter; temporary only, cleared after reboot
fw ctl arp | Shows the ARP table
fw ctl install | Installs the host's internal interfaces
fw ctl ip_forwarding | Controls IP forwarding
fw ctl pstat | System resource stats
fw ctl uninstall | Uninstalls the host's internal interfaces
fw logexport -o <file> | Exports the current log file to an ASCII file
fw fetch | Fetches the security policy and installs it
fw fetch localhost | Installs (on the gateway) the last installed policy
fw hastat | Shows cluster statistics
fw lichosts | Displays protected hosts
fw log -f | Tails the current log file
fw log -s <start time> -e <end time> | Retrieves logs between two times
fw logswitch | Rotates the current log file
fw lslogs | Displays the remote machine's log-file list
fw monitor | Packet sniffer
fw printlic -p | Prints current firewall modules
fw printlic | Prints current license details
fw putkey | Installs an authentication key onto a host
fw stat -l | Long stat list, shows which policies are installed
fw stat -s | Short stat list, shows which policies are installed
fw unloadlocal | Unloads the policy
fw ver -k | Returns version, patch info and kernel info
fwstart | Starts the firewall
fwstop | Stops the firewall
fwm lock_admin -v | Views locked admin accounts
fwm dbexport -f user.txt | Exports users to a file; fwm dbimport imports them
fwm_start | Starts the management processes
fwm -p | Prints a list of admin users
fwm -a | Adds an admin
fwm -r | Deletes an administrator
PROVIDER 1 Management
Command | Description
--- | ---
mdsenv [cma name] | Sets the MDS environment
mcd | Changes your directory to that of the environment
mds_setup | Sets up MDS servers
mdsconfig | Alternative to cpconfig for MDS servers
mdsstat | Shows the process status
mdsstart_customer [cma name] | Starts a CMA
mdsstop_customer [cma name] | Stops a CMA
cma_migrate | Migrates a SmartCenter server to a CMA
cmamigrate_assist | Helper if you do not want to go through the pain of tar/zip/ftp; it can also enable FTP on the SmartCenter server
VPN Troubleshooting
Command | Description
--- | ---
vpn tu | VPN tunnel utility; lets you rekey VPN tunnels
vpn ipafile_check ipassignment.conf detail | Verifies the ipassignment.conf file
dtps lic | Shows desktop policy license status
cpstat -f all polsrv | Shows the status of the dtps (desktop policy server)
vpn shell /tunnels/delete/IKE/peer/[peer ip] | Deletes the IKE SA
vpn shell /tunnels/delete/IPsec/peer/[peer ip] | Deletes the Phase 2 SA
vpn shell /show/tunnels/ike/peer/[peer ip] | Shows the IKE SA
vpn shell /show/tunnels/ipsec/peer/[peer ip] | Shows the Phase 2 SA
vpn shell show interface detailed [VTI name] | Shows VTI detail
DEBUGGING PACKETFLOW
Command | Description
--- | ---
fw ctl zdebug drop | Shows dropped packets in real time, with the reason for each drop
- CheckPoint article for performance troubleshooting on gateways (sk33781) https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk33781
- CheckPoint article on how to troubleshoot cluster failovers (sk62570) https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk62570#ROUTED
- Like a cheat sheet for CLI commands? Go to http://www.roesen.org/files/cp_cli_ref_card.pdf
- Even more troubleshooting commands for GAIA available under: http://www.51sec.org/2015/10/21/advanced-checkpoint-gaia-cli-commands-tips-and-tricks/
- More CheckPoint related topics/articles https://blog.lachmann.org/?cat=20
CHECKPOINT GAIA CLISH COMMANDS
show commands
Command | Description
--- | ---
save config | Saves the current configuration
show commands | Shows all commands
show allowed-client all | Shows allowed clients
show arp dynamic all | Displays the dynamic ARP entries
show arp proxy all | Shows proxy ARP entries
show arp static all | Displays all static ARP entries
show as | Displays the autonomous system number
show assets all | Displays hardware information
show bgp stats | Shows BGP statistics
show bgp summary | Shows summary information about BGP
show bootp stats | Shows BOOTP/DHCP relay statistics
show bootp interface | Shows all BOOTP/DHCP relay interfaces
show bonding group | Shows all bonding groups
show bridging groups | Shows all bridging groups
show backups | Shows a list of local backups
show backup status | Shows the status of a backup or restore operation in progress
show backup last-successful | Shows the latest successful backup
show backup logs | Shows the logs of recent backups/restores
show clock | Shows the current clock
show configuration | Shows the configuration
show config-state | Shows whether the configuration is saved or unsaved
show date | Shows the date
show dns primary | Shows the primary DNS server
show dns secondary | Shows the secondary DNS server
show extended commands | Shows all extended commands
show groups | Shows all user groups
show hostname | Shows the host name
show inactivity-timeout | Shows the inactivity-timeout setting
show interfaces | Shows all interfaces
show interfaces ethx | Shows the settings of interface ethx
show interfaces all | Shows detailed information about all interfaces
show ipv6-state | Shows whether IPv6 is enabled or disabled
show management interface | Shows the management interface configuration
show ntp active | Shows whether NTP is enabled or disabled
show ntp servers | Shows the NTP servers
show ospf database | Shows OSPF database information
show ospf neighbors | Shows OSPF neighbor information
show ospf summary | Shows OSPF summary information
show pbr rules | Shows policy-based routing rules
show pbr summary | Shows policy-based routing summary information
show pbr tables | Shows PBR tables
show route | Shows the routing table
show routed version | Shows the routed version
show snapshots | Shows a list of local snapshots
show snmp agent-version | Shows which SNMP version(s) the agent accepts (v1/v2/v3)
show snmp interfaces | Shows the SNMP agent interfaces
show snmp traps receivers | Shows SNMP trap receivers
show time | Shows the local machine time
show timezone | Shows the configured timezone
show uptime | Shows system uptime
show users | Shows configured users with their home directory, uid/gid and shell
show user <username> | Shows the settings of a particular user
show version all | Shows OS edition, kernel version, product version etc.
show virtual-system all | Shows the configured virtual systems
show vpn tunnels | Shows the VPN tunnels
show vrrp stats | Shows VRRP status and statistics
show vrrp interfaces | Shows VRRP-enabled interfaces
set commands
Command | Description
--- | ---
add allowed-client host any-host / add allowed-client host <ip address> | Adds any host to the allowed-clients list / adds an allowed client by IPv4 address
add backup local | Creates and stores a backup file in /var/cpbackups/backups/ (on open servers) or /var/log/cpbackup/backups/ (on Check Point appliances)
add backup scp ip value path value username value | Sends a backup to an SCP server
add backup tftp ip value [ interactive ] | Sends a backup to a TFTP server
add snapshot | Creates a snapshot, which backs up everything (OS configuration, Check Point configuration, versions, patch level), including the drivers
add syslog log-remote-address <ip address> level <emerg/alert/crit/err/warning/notice/info/debug/all> | Specifies remote syslog parameters
add user <username> uid <user-id-value> homedir | Creates a user
expert | Enters the system shell (expert mode)
halt | Halts the system
history | Shows command history
lock database override | Overrides the config-lock setting
quit | Exits the shell
reboot | Reboots the system
restore backup local [value] | Restores a local backup interactively
rollback | Ends transaction mode by reverting the changes made during the transaction
save config | Saves the current configuration
set backup restore local <filename> | Restores a local backup
set core-dump <enable/disable> | Enables/disables core dumps
set date yyyy-mm-dd | Sets the system date
set dhcp server enable | Enables the DHCP server
set dns primary <x.x.x.x> | Sets the primary DNS IP address
set dns secondary <x.x.x.x> | Sets the secondary DNS IP address
set expert-password | Sets or changes the password for entering expert mode
set edition default <value> | Sets the default edition to 32-bit or 64-bit
set hostname <value> | Sets the system hostname
set inactivity-timeout <value> | Sets the inactivity timeout
set interface ethx ipv4-address x.x.x.x mask-length 24 | Adds an IP address to an interface
set ipv6-state on/off | Sets IPv6 on or off
set kernel-routes on/off | Sets kernel routes on/off
set management interface <interface name> | Sets an interface as the management interface
set message motd value | Sets the message of the day
set ntp active on/off | Turns NTP on/off
set ntp server primary x.x.x.x version <1/2/3/4> | Sets the primary NTP server
set ntp server secondary x.x.x.x version <1/2/3/4> | Sets the secondary NTP server
set snapshot revert <filename> | Reverts the machine to the selected snapshot
set snmp agent on/off | Sets the SNMP agent daemon on/off
set snmp agent-version <value> | Sets the SNMP agent version
set snmp community <value> read-only | Sets the SNMP read-only community string
add snmp interface <interface name> | Sets the SNMP agent interface
set snmp traps receiver <ip address> version v1 community value | Specifies a trap receiver
set snmp traps trap <value> | Sets SNMP traps
set static-route x.x.x.x/24 nexthop gateway address x.x.x.x on | Adds a static route
set time <value> | Sets the system time
set time zone <time-zone> | Sets the time zone
set vsx on | Sets VSX mode on
set vsx off | Sets VSX mode off
set user <username> password | Sets a user's password
set web session-timeout <value> | Sets the web configuration session timeout in minutes
set web ssl-port <value> | Sets the web SSL port for the system
Let's talk basic configuration.
Checkpoint Gaia has brought a lot of cool features which we use on a daily basis.
One of my favorites is the possibility to perform easy deployment and backup of the configurations.
Checkpoint has over time offered several different ways to perform backups, snapshots and so on (leaving the Management server out of this).
The one I use the most is backing up the Gaia configuration. Why, you may ask?
Because it works every time.
True, it does not capture all the Checkpoint-relevant files on the Security Gateway, but it saves me time when I need to configure and deploy a fresh Checkpoint Security Gateway.
The Gaia CLI offers the commands to configure the system.
We will take a look at how we can save the configuration to a file.
(To have Checkpoint persist your configuration changes, you need to run “save config” from clish. Note that this is not the same as the “save configuration” command covered in this article:
save config = save your changes to the database
save configuration = save your configuration to a file)
We will be working in two modes:
Clish (left) and Expert (bash, right).
When you log in to your Security Gateway you will be met with one of these two prompts.
This is the clish prompt, and “gw2” is the hostname of my gateway:
gw2>
To get to Expert mode from clish, type “expert”.
This is, as the name states, the Expert mode, and Gaia clish commands do not work here
(well, you can make them work, but that is out of scope here):
[Expert@gw2:0]#
To get back to clish from Expert mode, type “clish”.
—————————–
To create a backup of your Gaia configuration, you need to be in clish mode.
Run the command shown below, and you will create the backup file “nameyourfile”:
gw2>
gw2> save configuration nameyourfile
You may want to see what is inside the file, but remember that clish does not support native Linux commands like ls or cat.
To view your backup file, you need to get into expert mode:
gw2> expert
Enter expert password: (entering my very secret password here)
Use ls to see the files in your home directory:
[Expert@gw2:0]# ls
ftw.txt nameyourfile
[Expert@gw2:0]# cat nameyourfile
This will show the Checkpoint Gaia configuration, and you can edit the file if you want to change something. If you want to perform a clean installation of a Security Gateway, you can modify and use this file to configure the settings on the gateway.
Now copy this file to USB or off the Checkpoint box and save it for later use.
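Because the saved file is just a list of clish set/add commands (the ones in the tables above), it can be audited before it is reused to build a fresh gateway. The following is an added example and not part of the original post: a small Python audit over a constructed sample configuration; the checks, the 60-minute idle threshold and the assumption that any SNMP agent-version other than v3-Only accepts community-based v1/v2c queries are this example's own, not Gaia defaults.

```python
import re
# Constructed sample of a saved Gaia configuration (clish commands); not from a real gateway.
SAMPLE_CONFIG = """\
# Gaia configuration of gw2 (constructed sample)
set hostname gw2
set interface eth0 ipv4-address 192.168.1.1 mask-length 24
add allowed-client host any-host
set snmp agent on
set snmp agent-version any
set snmp community public read-only
set core-dump enable
set inactivity-timeout 720
set ntp active off
set web ssl-port 443
"""
DEFAULT_COMMUNITIES = {"public", "private"}
MAX_IDLE_MINUTES = 60  # threshold chosen for this example, not a Gaia default

def audit_gaia_config(text):
    """Return (line_no, message) findings; line 0 marks a setting that is missing altogether."""
    findings = []
    remote_syslog = False
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment written by save configuration
        if line == "add allowed-client host any-host":
            findings.append((no, "management access (WebUI/SSH) allowed from any host"))
        elif (m := re.fullmatch(r"set snmp agent-version (\S+)", line)) and m.group(1) != "v3-Only":
            # Assumption: any value other than v3-Only accepts community-based v1/v2c queries
            findings.append((no, f"SNMP agent-version {m.group(1)} permits unauthenticated v1/v2c"))
        elif (m := re.fullmatch(r"set snmp community (\S+) read-(only|write)", line)):
            if m.group(1).lower() in DEFAULT_COMMUNITIES:
                findings.append((no, f"default SNMP community string '{m.group(1)}'"))
        elif line == "set core-dump enable":
            findings.append((no, "core dumps enabled; dumps can contain keys and session data"))
        elif (m := re.fullmatch(r"set inactivity-timeout (\d+)", line)) and int(m.group(1)) > MAX_IDLE_MINUTES:
            findings.append((no, f"inactivity-timeout {m.group(1)} min exceeds {MAX_IDLE_MINUTES}"))
        elif line == "set ntp active off":
            findings.append((no, "NTP disabled; log timestamps cannot be trusted"))
        elif line.startswith("add syslog log-remote-address "):
            remote_syslog = True
    if not remote_syslog:
        findings.append((0, "no remote syslog destination; logs stay on the gateway only"))
    return findings

if __name__ == "__main__":
    for no, msg in audit_gaia_config(SAMPLE_CONFIG):
        print(f"line {no}: {msg}")
```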
For more info see SecureKnowledge article sk91400.